Method and system for securing network-based electronic voting

ABSTRACT

A method and system for securely voting over a network, such as a global computer network, involves a system which delivers an electronic ballot from a server with the server&#39;s private key and a vote serial number on the ballot to an individual terminal connected to the network. The ballot may be filled in and a subset of the filled-in ballot is created with a digital signature created from the individual&#39;s secret key on the subset of the ballot corresponding to the ballot choices. The subset of the filled-in ballot together with the individual&#39;s electronic signature, and a vote serial number is then delivered to the server. A data element is then created to record a subset of the ballot in a data store at the server, in which the ballot vote information is retained as a vote.

FIELD OF THE INVENTION

[0001] The invention relates to a method and system which provides thesecurity techniques required to secure a voting system for use on a widearea network such as the global computer network, or on a local areanetwork.

BACKGROUND OF THE INVENTION

[0002] The current approaches to provide a secure voting system on awide area or local area network have traditionally emphasized purelycryptographic-protocol-based solutions to secure the voting. The workdone to date is largely purely research into specific issues in secureelectronic voting and does not address the practical application into areal-world system.

[0003] The prior art has approached worldwide area network, for example,on the global computer network known as the Internet™, elections as anextension of secure, electronic commerce techniques without providing acomprehensive approach to the significant threats, vulnerabilities andrisks that threaten the security, authenticity and reliability of suchelections.

[0004] Internet elections must achieve the objectives of conventionalelections, specifically: “democracy” (only registered citizens may voteonce in any election), accuracy (votes may not be altered, forged ordeleted), “privacy” (no one may know how anyone else voted or prove howthey voted), and “verifiability” (everyone should be able to verifytheir own ballot, as well as the correctness of the entire election).Moreover, Internet elections address additional capabilities: “mobility”(individuals should be able to vote from any Internet-accessiblelocation, at any legal time), “convenience” (voting should be simple andconvenient for everyone), and “flexibility” (the technology should beapplicable to all elections).

[0005] Internet voting systems must achieve these objectives in the faceof both conventional election threats, and threats specific toautomated, distributed computer systems, including: fraud, abuse ofprivilege (privileged individuals may act inappropriately), denial ofservice (computer services may be impaired or rendered inaccessible),software flaws, tampering (of recorded ballots or other data), malicioussoftware, wiretapping (sniffing, modification or replay ofcommunications), vote selling, or masquerading (by client/servercomputers or by people).

[0006] The prior art has taken several approaches towards Internetelection systems. Electronic commerce or E-Commerce approaches rely onsecuring communications through encrypted connections and verifyingindividual identity only through weak or single-factor authentication(e.g., passwords). Encrypted Absentee Balloting systems emulateconventional absentee balloting by using ballots that are doublyencrypted using symmetric keys. Cryptographic protocols, particularlythose relying on asymmetric or public-key cryptography hold the greatestpromise but have been relegated largely to the academic community.

[0007] All these techniques have characteristic weaknesses. E-Commercetechniques secure only voter-system communications. They provide weakauthentication and no (strong) mechanisms for achieving democracy,privacy, accuracy or verifiability. Encrypted Absentee Ballot systemsprovide better privacy, but provide no stronger mechanisms fordemocracy, accuracy or verifiability, and are vulnerable to abuse ofprivilege, potentially compromising the keys used to ensure privacy.Many of the cryptographic protocols developed to date are complex,making implementation verification difficult. Public-key cryptographyand digital signature techniques promise strong authentication, accuracyand verifiability. However, the generation and distribution ofpublic-private (secret) key-pairs, and the protection of private keys,makes these techniques difficult to apply to large-scale applicationssuch as Internet voting.

[0008] Specifically, it has been recognized that existing private-keymanagement techniques, i.e., PKI approaches, are not acceptable if theyrequire the end users to buy, install or configure anything, or requireany particular type of client device. Such considerations becomeparticularly significant when there may be huge numbers of end users,for example, 100,000 to 1,000,000, such as may be the case in anelection.

[0009] It is recognized that PKI technology supports the use ofpublic-key cryptography by providing various means to generatepublic-private (secret) key pairs, protect access to the private(secret) key so that it can be used only by the individual with whoseidentity it is associated, and provide for distribution and convenientaccess to the public key. Common strategy involves generation ofpublic/secret key pairs on a user's personal computer by an applicationsuch as a web browser, storage of the private key within a personalidentification number (PIN) protected, encrypted key-store file on theuser's personal computer (PC), and exportation of the public key to acertificate authority, for example, where it is wrapped in a digitalcertificate, such as an X.509 digital certificate, and made availablefor public access on a lightweight directory access protocol (LDAP)certificate directory service.

[0010] This approach has advantages in that it is convenient and theprivate keys never leave the user's PC. Disadvantages result, however,because even though the private keys are protected in PIN-basedencrypted files, PCs offer little protection against key-storecryptoanalysis by malicious software, and user mobility is impaired asit requires effort to export a private key so that it can be used onanother platform.

[0011] An alternative strategy involves generation of public/secret keypairs on a secure platform rather than the user's PC, for example, aserver. Yet still further, the approach involves storage of the privatekey, and perhaps other authentication-related data, on a storage devicesuch as a password-encrypted floppy disk, or on a password-protectedtoken/dongle, Java-ring (iButton) or smart card devices, as well asexportation of public keys and digital certificates as described withrespect to the first approach.

[0012] One advantage of this approach is that the private key is moreeasily accessed from various computers, facilitating mobility, so longas there is a hardware interface for the private-key device. Inaddition, the private key is better protected within a removable device.Resultant disadvantages include the fact that the server must beverified not to make/leave copies of the private key. In addition, theremust be some sort of hardware interface to allow retrieval of the keyfrom the storage device, e.g., disk drive, USB port, iButton/smart cardreader, etc. Yet still further, these hardware interfaces may beexpensive, difficult to install/configure, and may not be universallyavailable, thus inhibiting mobility.

[0013] The advantages and disadvantages of the above-identified twoapproaches have led to a third approach. In the third approach,generation of public/secret key pairs is done on a secure platform otherthan the user's PC, for example, a server. The secret keys are stored inencrypted form on the secure server and downloaded to the client over asecure network connection as needed to support authentication, digitalsignature or encryption operations. The server must authenticate theuser by some non-PKI-based method before allowing the user to downloadtheir private key. In most cases, this will still require someauthentication device.

[0014] While providing further refinements and including advantages suchas convenience and mobility being improved because private keys arealways available from a network server, and no hardware interfaces arerequired on the client device, significant disadvantages still remain.

[0015] Initially, it is noted that there is a need for a secondarystrong authentication technique that requires hardware token support,e.g., SecureID. In addition, such hardware tokens incur additionalexpense, and private keys are stored on a secure server using one ormore keys known to the server, thus requiring the server to protectaccess to and use of these keys.

[0016] In all three approaches described, retrieval of private keys fromlocal/network storage is required for use within the memory of a PC orthin-client device, and exposes the key to potential compromise. Onlytokens with processors can perform the necessary cryptographicoperations without exposing the private key. None of the approachesoffer sufficient security, mobility and convenience at a sufficientlylow cost to make public/private key cryptographic services, e.g.,authentication, non-repudiation, encryption, attractive for applicationswith a potentially large number of users such as in the case of anelection with users numbering from anywhere between 100,000 to about10,000,000.

[0017] In order to make public/private key cryptographic servicesfeasible for such applications, there must be a low-cost way to generatepublic/secret keys, while providing secure storage for and access tothose keys without requiring special hardware or inconvenientprocedures. These advantages and other advantages are provided by thesystem and method described herein, and numerous disadvantages ofexisting techniques are avoided.

SUMMARY OF THE INVENTION

[0018] In accordance with one aspect of the invention, there is provideda method of securely voting over a network, which can be a local areanetwork, or a wide area network such as the global computer networkknown as the Internet™. The method involves delivering an electronicballot from a server with a vote serial number on the ballot, to anindividual at a terminal over a connection secured using both theserver's and the voter's private keys. Thereafter, the ballot is filledin with the voter's choices, which are digitally signed using thevoter's private key. The voter's ballot choices, bearing the voter'selectronic signature, and the vote serial number is then delivered tothe server. A data element is then created from the individual's digitalsignature of the ballot choices, the server's digital signature of thevoter's ballot choices (created using the server's private key) and thevote serial number to allow recording of the subset of the ballot in adata store at the server, and retaining the ballot information as avote. This data element is then digitally signed using the server'sprivate key to ensure its integrity and authenticity.

[0019] As described herein, the terms “individual”, “user”, “client”,and “voter” are used interchangeably, and refer to a person on their ownterminal which can be a personal computer or other like device on whichvoting in accordance with the method and system herein is achieved.

[0020] In a more specific aspect, the retention of the vote at theserver can be confirmed by signing the individual's signature of theballot, the server's signature of the ballot, and the vote serialnumber, and the signed confirmation is transmitted to the individual whosubmitted the ballot.

[0021] Yet still further, the method involves recording in the server'sdata store the server's digital signature of the ballot to allowverification at the server that all of the ballots cast have not beentampered with.

[0022] In a more specific application, while the ballots are initiallydescribed as being generated as an HTML document, to provide additionalsecurity, in an alternative form the ballot can be generated in bit-mapform such that the intentions of the voter or individual voting may bedetermined by monitoring the (x,y) coordinates of their mouse-clicks onthe ballot bit-map. This provides enhanced security, since to readbit-map documents requires advanced optical character recognitiontechnology, which in turn requires and imposes a large computing poweroverhead, thus making malicious hacking into the system significantlymore difficult and detectable.

[0023] In an alternative aspect, there is described a system forconducting secure voting over a network, for example, the globalcomputer network known as the Internet, or on a local area network. Thesystem includes a server having a data store associated therewith. Theserver is configured for connection to the network for communicatingwith terminals connected to the network. The server is furtherconfigured for delivering an electronic ballot having the vote serialnumber on the ballot, to an individual at a terminal connected to thenetwork, and the ballot being configured for being filled in by theindividual, and for having a subset thereof delivered to the server withthe individual's electronic signature, and the vote serial numberthereon.

[0024] Yet still further, the server is further configured for receivingthe ballot choices and creating a data element from the electronicsignature of the individual's ballot choices, the server's electronicsignature of the individual's ballot choices, and the vote serial numberto allow recording of the ballot choices in the data store and retainedtherein as a vote. This data element is then digitally signed using theserver's private key to ensure its integrity and authenticity.

[0025] In a further aspect, the server is programmed for confirmingretention of the vote at the data store by signing the individual'ssignature of the ballot choices, the server's signature of the ballotchoices and the vote serial number, and thereafter transmitting thesigned confirmation to the individual who submitted the ballot.

[0026] Yet still further, the system provides that the server isprogrammed for recording in the data store the server's digitalsignature of the ballot choices for allowing verification at the serverthat all of the ballots cast have not been tampered with.

[0027] In a still further aspect, the system is capable of generatingthe ballot as either a bit-map or an HTML document. The advantage of thebit-map document is that tampering or hacking becomes more difficultbecause bit-map documents require optical character recognition aspreviously discussed, such that malicious hacking is not easily achievedwithout detection.

BRIEF DESCRIPTION OF THE DRAWINGS

[0028] Having thus briefly described the invention, the same will becomebetter understood from the following detailed discussion presentedherein, with reference to the appended drawings, in which:

[0029]FIG. 1 is a system-level architectural view of how an operationalsystem implementing electronic voting over a network, such as the globalcomputer network known as the Internet, can be configured;

[0030]FIG. 2 is a block diagram illustrating the flow of the electronicballot and associated data elements between an individual or clientside, and a server side, managing the electronic voting method;

[0031]FIG. 3 is a block diagram showing in greater detail thecomponents, and data information exchange illustrated in FIGS. 1 and 2;and

[0032]FIG. 4 is an architectural diagram showing in greater detail how asystem and method as described herein could be deployed on a broad basison a network such as the global computer network known as the Internet.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

[0033]FIG. 1 is a system-level architectural view of how an operationalsystem and method as described herein might be implemented. The clientpersonal computer 11 or PC 11, typically a personal computer running anoperating system such as Microsoft Windows™, which may optionallyinclude a smart card reader 13 connected thereto, although this is notrequired. The PC 11 includes network access capability which can be tothe local area network, or to a global computer network 17. In the caseof a global computer network 17, the PC 11 would have access to theglobal computer network 17 through, for example, an Internet serviceprovider (ISP) 15, or alternatively, access to other parts of thenetwork might be through a direct cable modem, or a local, or a networkattachment to the global computer network 17.

[0034] On the server side, there is provided a primary interface to theentire system through a web server 19 in a conventional manner which iswell known to those of ordinary skill in the art, and which is common tomost electronic commerce architectures. The web server 19 interoperateswith a certificate authority 21, which can be for example, an enterpriseserver suite such as that available from Netscape Corporation. Thecertificate authority 21 uses a certificate-generating system, such asone like that available commercially under the name iPlanet, which isconventional, and which is one of many alternatives which can be used toimplement the functionality described herein.

[0035] In addition, the web server 19 can also interoperate and beconnected to a back end application or database server 23 and an LDAPcertificate directory server 25.

[0036] With respect to the LDAP certificate directory server 25, by wayof explanation, it can provide a certificate such as an X.509certificate, which is a text file that is used to contain informationabout an individual, together with an encoding of the individual'spublic encryption key to the system described herein. The certificatefile is then digitally signed by the certificate authority 21 thatissued it. If it is desired to use the public keys of a number ofindividuals in an open context, there has to be a way of accessing theX.509 certificates. This can be done by placing them on a lightweightdirectory access protocol server (LDAP) such as the LDAP certificatedirectory server 25 shown, through which access to those certificatescan be provided. For example, LDAP servers are provided commerciallythrough a number of entities, and it is possible to obtain from suchservers another party's public key certificate, for example, if it isdesired to provide digitally signed, encrypted electronic mail.

[0037] More specifically, LDAP is a protocol on a data architecture forstoring name-value pairs and on an LDAP certificate directory server 25there would be stored certificates, such as X.509 certificates bound toeach individuals' name.

[0038] With respect to the application database server 23, it is alsoconventional and well known to those of ordinary skill in the art. Suchan application database server 23 can be implemented using Java Servletsor Enterprise Java Beans (EJBs), which are typically small packets offunctionality to make it easy and more efficient to use the moresophisticated Java implementation of web server 19 functionality. Inoperation, the web server 19 receives a request for a certain web pageand in that web page is a reference to some call onto a piece of Javafunctionality that is written as a Java Servlet. An architecture knowngenerally as the application database server 23 architecture allows theweb server 19 to call functionality in the database server using JavaServlets or EJBs 23. The application/database server 23 is typically aseparate machine that is specifically optimized to support theinvocation of that kind of functionality, encoded, for example, as JavaServlets. . More particularly, the application database server 23 allowsinvoking of precompiled and packaged functionality that is written inthe form of Java Servlets, EJBs, or some other type of reusablecomponent.

[0039] In the case of the present system and method, the reusablefunctionality will involve, for example, delivery of a ballot, which canbe either in the form of an HTML or XML document, or for enhancedsecurity as will be described hereafter, in the form of a bit-map.

[0040] Thus, when a user interacts with the web server 19 from their PC11, a Servlet, or one or more EJBs, processes the request for the userto register with the system, including a request to cast a ballot. TheServlet or EJBs that are invoked present the ballot to the user, andhandle the interaction with the user in the course of casting the vote.

[0041] If it is desired to look at the results of an election, anotherServlet or a different set of EJBs can be invoked to support thatfunctionality. As may be appreciated by those of ordinary skill in theart, fine-grained packaging of functionality can be defined depending onthe capabilities to be implemented as described hereafter.

[0042] In one implementation, a Registrar of Voters 27 may also be tiedinto the system and would be responsible for the registration ofindividuals who are legitimately, legally allowed to vote in aparticular county. One way of conducting the registration is theconventional interacting in person with the Registrar of Voters, orthrough conventional mail. It is contemplated herein that suchregistration could be accomplished over the network, such as the globalcomputer network 17, in a manner that it may be desired to have anelectronic interface to the Registrar of Voters 27.

[0043] For example, one method of establishing the interface may be witha local Division of Motor Vehicles, particularly because of recenttrends toward making the Division of Motor Vehicles responsible foridentification and authentication of individual entities, and theRegistrar of Voters appears to be an organization that might be able touse such capability.

[0044] As will also be appreciated, in the case of implementing aninterface with the Registrar of Voters 27, some kind of X.509certificate exchange as discussed previously could also be implemented,and the use of certificates would serve to authenticate any sort ofinteraction with the Registrar of Voters 27. In addition, if anindividual submitted a registration or request, it could be digitallysigned and thus would require the individual's public key certificate inorder to validate the signature.

[0045] In all cases, it would be required to digitally sign someelectronic document, and the digital signature would have associatedwith it a well-known identity which can be looked up on a server such asan LDAP certificate directory server 25 to obtain the public keycertificate corresponding to the claimed identity, and to then verifythat the digital signature is actually a signature that could only havebeen generated by the individual having the claimed identity.

[0046] This is all standard public key infrastructure technology andwell known to those of ordinary skill in the art. In the case of theRegistrar of Voters 27, this could be done through a certified agent forregistering the voters, and there might be several methods by which suchagents could be implemented and authorized by the Registrar of Voters27. Irrespective of what system is implemented, the agent would beacting as a front end to the Registrar of Voters 27, and proxying theregistration to them, and so, it would have to be legally authorized todo so.

[0047] While on the server side a number of different individualfunctional components are shown, it will be appreciated as analternative that all the functions can be implemented on a singleserver, or depending on the size of the system, the functions can beallocated to separate servers which themselves may be replicated. Thisis an alternative architectural approach well known to those of ordinaryskill in the art, and only for the sake of clarity has the system beenshown in FIG. 1 as separate boxes, which could be co-located on a singlemachine or duplicated or replicated on multiple boxes depending on theload and degree of redundancy and tolerance desired.

[0048]FIG. 2 illustrates in block diagram form the data and informationflow which will occur in a system and method as described herein. Thecomponents of data flow are shown divided by a dashed line 45 whichseparates the client 41 side which relates to the individual and theindividual's PC, and is separated from the server 43 side.

[0049] A ballot 51 is shown on the client 41 side which has beendelivered from the server 43 side and can be some form of electronicdocument. The document can take various forms but for purposes of thedescription herein, the ballot 51 is assumed to be an HTML formdocument, although more secure type and untamperable documents such asbit-map representations can also be deployed in accordance with thesystem and method.

[0050] The difficulty in building a system and method for such voting isbeing able to verify that only a single individual can cast a ballot,that they can cast only one ballot, and that it cannot be tampered withor undetectably altered or detected in any manner. FIG. 2 illustratesthe essential implementation for being able to achieve these goals.

[0051] The ballot 51 is delivered, for example, to the home PC 11through the web server 19 from the application database server 23, allof which were previously described with respect to FIG. 1. Using thehome PC 11, through a web browser, an individual can go through and makeselections on the ballot, and after pressing enter or casting theballot, the individual's PC 11 transmits back a subset of that formconsisting of the ballot choices and the voter's digital signature ofthe ballot choices, DS(B,c).

[0052] Thus as is shown in FIG. 2, in the top arrow line from the ballot51, the selection is delivered as a representation to the server side55. The ballot and response values are structured in a way that it iseasy to read the response values and determine which issues or officeswere being voted on, and what the selections were. Those values areparsed and stored into a relational database, the structure of whichwill be described hereafter with reference to a separate figure. Whenthe ballot is received on the server side 43 as shown by the dashed linebox 53, the server computes DS(B,s), a digital signature of the ballotusing the server 43 private key.

[0053] In FIG. 2, in labels such as DS(. . . ,C) or DS(. . . ,c), anupper case letter means a public key, and a lower case letter means asecret or private key, so that in any particular block, this refers tothe fact that when a ballot is received, the server creates a digitalsignature of the ballot using the server's secret or private key. On theclient 41 side, when an individual casts a ballot 51, the client 41 sidecreates a digital signature of the ballot 57 using the individual'ssecret or private key. Thus, both of these signatures, one created bythe individual, and the other created by the server, can only have beencreated by the respective entities because they are both signatures thatare created using the respective secret or private keys.

[0054] The individual's signature of the ballot is then delivered to theserver 43 side where it is combined with three other elements at block59. Specifically, the server's signature 53 is combined with theindividual's signature 57 along with a vote serial number (VSN) whichis, for example, like a ballot serial number and can be an arbitrarynumber that goes from one to infinity. The vote serial number can begenerated per election, and has no relationship to the voter, and isjust an incidental sequence number that indicates a vote delivered inthe election. Those three elements are then digitally signed by theserver yielding DS(C,s), and the four combine into an aggregation ofcore components which is a ballot confirmation token. This allowsconfirmation that a particular ballot has been retained in the systemand no tampering has occurred. That token is then transmitted back tothe individual as a confirmation token 61. The confirmation token 61 canthen be encrypted with the individual's public key, thus rendering itundecipherable to anyone except the individual.

[0055] Such encryption is not mandatory but may be desirable, dependingon other specific implementations of the system and method. For purposesof the disclosure herein, it is noted that while the term “token” isreferred to, it could be characterized as a data element which is thesignature confirmation by the server, in particular, the confirmationwhich has three components and a digital signature. Thus, by tying thesecomponents together, and having the server sign the components, if lateron someone submits the confirmation, the server can verify that theconfirmation was issued by the server, minimizing the possibility thatconfirmations can be forged.

[0056] On the server 43 side, the server's digital signature is alsorecorded along with the vote or ballot as shown at block 55. If itbecomes desirable to verify that all of the ballots cast in the electionhave been untampered with, that can be done on the server 43 side usingonly the contents of the database and the server ballot signatures whichhave been recorded in the data store.

[0057] This is further illustrated by arrow 63 which illustratesuniversal verifiability. More specifically, a search is conductedthrough the database in a manner indexed to a vote serial number, andfor each vote serial number, a ballot is reconstructed. Thereconstructed ballot has no identification back to the voter and iscompletely anonymous. However, the ballot responses are the same asthose that the individuals generated when the ballot was cast. A digitalsignature can then be created over the reconstructed ballot using theserver's public key, and that signature can be verified against thesignature that was recorded when the individual cast the ballot that wascreated using the server's private key. Thus, the arrow 63 representsthe validation of the server's ballot signature created with its privatekey, against the server's ballot signature that was generated from thereconstructed ballot using the server's public key. This can be done forall of the ballots stored in the system, and thus, it can be verifiedthat none of the ballots have been tampered with at any point in timeafter a ballot has been cast. This is referred to as universalverifiability, which refers to the property that allows for verificationthat for all voters none of the ballots have been forged, deleted oraltered.

[0058] Consider now the case where an individual would want to connectto the system, i.e., on the server 43 side to determine if their ballotvote is properly recorded. In such a case, the individual can presentvote confirmation 61 through a transmission 67 to the server 43 side. Ofcourse, the individual will have to decrypt the confirmation 61 aspreviously discussed using their private key. The confirmation is thenpresented to the system which decomposes the confirmation into fourcomponents, which are represented by blocks 69, and have been previouslydiscussed with reference to blocks 59 and 61.

[0059] The digital signature on that confirmation can then berecomputed, and it can be verified that the confirmation has not beenaltered. Having done so, the vote serial number can then be extractedfrom the confirmation, and the database can be indexed to allowreconstruction of the voter's ballot exactly as cast.

[0060] The two horizontal arrows 71 and 73 illustrate what is known asindividual verifiability. The server's ballot signature can be extractedout of the confirmation and validated against the server's ballotsignature that is generated from the reconstructed ballot. This isdemonstrated by the exchange which occurs through arrow 71. Theindividual's ballot signature that was computed using the individual'sprivate key can also be validated by the comparison represented by arrow73 against the digital signature that has taken over the reconstructedballot using the voter's public key. This can be done because thecommunication between the individual and the server is protected, asillustrated later in FIG. 3, by a secure socket layer (SSL) connection101 that provides temporary access to the individual's public key.

[0061] In fact, in such an implementation, the public key of theindividual on the individual's end of the connection can be obtainedoutside of the system and once it is known what the individual's publickey is, the requirement for an LDAP certificate directory server 25 toobtain the public key can be eliminated.

[0062] As may be appreciated from the discussion of individualverifiability, in contrast to universal verifiability, individualverifiability provides two ways of verifying by using either theserver's digital signature or the individual's digital signature on theballot.

[0063]FIG. 3 shows in greater detail the general architecture shown inFIG. 1, and the data flow shown in FIG. 2. Specifically, the upper partof FIG. 3 shows the various components of the system along with boxesshowing the data flow, with the lower portion of FIG. 3 showing ingreater detail the various resultant tables assembled with ballots thathave been cast.

[0064] A smart card reader 13 can be implemented connected to anindividual's PC 11 on a smart card 103 which is read by the smart cardreader 13, and can have stored thereon an individual's private (orsecret) encryption key. A certificate such as an X.509 certificate fortheir public key, and their voter identification number which is anarbitrary sequence number generated when they register with the system,can also be stored on the smart card 103. The individual's PC 11 willtypically be running a standard web browser 105, such as is commerciallyavailable from Netscape Corporation, and inside the web browser 105 is aJava script interpreter 107 with the ballot 51 presented within the webbrowser 105. Although the ballot has been previously described, and isillustrated in FIG. 3, as an HTML or XML document, it can also takeother forms such as a bit-map, if enhanced security is desired.

[0065] While a personal computer 11 has been shown with a standardcommercially-available browser 105, it may also be appreciated that suchbrowsers are often not sufficiently secure. Thus, as contemplatedherein, it is also possible to implement in a manner well known to thoseof ordinary skill in the art, a non-commercial browser which avoids thesecurity pitfalls of currently-existing commercial browsers.

[0066] More specifically, it is common for malicious software toread/modify sensitive files on unsecure personal computers. Suchunsecure personal computer platforms can include those which are Intelprocessor/Microsoft Windows operating system, or Apple MacIntoshoperating system-based. Specifically, in such commercial systems, thesecurity ends at the client. As a result, the entire system may bevulnerable to attack by malicious software executing within theindividual's PC. With no individual platform security mechanisms, suchattacks could detrimentally impact information confidentiality,integrity, authenticity, or availability within the overall system.

[0067] In order to address such a problem which may be inherent in aconventional commercial web browser, and with ballots such as an HTML orXML document ballot 51, a protocol can be implemented that combinesanonymous context, and visual obfuscation to make it virtuallyimpossible for malicious software to knowledgably and undetectablyinterfere with a concurrently executing individual PC application inorder to impact information confidentiality, integrity and authenticity.

[0068] In accordance with the specific implementation of such securityas contemplated herein, and as will be readily apparent to those ofordinary skill in the art, cryptographic techniques, protocols and datarepresentation can be implemented in order to increase the work requiredof malicious software beyond what can be accomplished within a votingsession at an individual's personal computer 11. Specifically,implementation of visual obfuscation is intended to defeat the abilityof malicious software to determine or alter network content. Such atechnique would include but not be limited to variation of text, font,size, spacing, etc. The wording of the text associated with ballotchoices, the location of graphic components, the shape of image ofchoice/selection targets, explicit or implicit relationships betweengraphical elements, and in some cases, color, can also be implemented inan obfuscating manner. In addition, a technique for converting contentin HTML or XML format to image format can be employed as will be readilyapparent to those of ordinary skill in the art, making it difficult,with current OCR algorithms to intercept and alter the limited ballotinformation being transmitted. Such OCR techniques are generallyprocessor intensive, and thus attempts by malicious software to alter orinterpret such ballot information would be readily detected.

[0069] Thus, as shown in the FIG. 3 a voter ID and the public key of theindividual is transferred at 118 over an SSL connection 101 to the webserver 19 on the server 43. The server side 43 which includes a numberof function boxes assembled as one box 109. The web server 19 whichincludes an execution environment for Java Servlets 111 then sends aballot 119 obtained from a collection of ballots 113, to the individualPC 111 through a transmission 119. The individual then marks the ballotand returns the ballot as shown with arrow 121 with the choices thereon.The confirmation shown as block 61 is then returned as shown by arrow123.

[0070] It will be appreciated that within the collection 109 of functionboxes, separate functionality and information is provided, for example,from the collection of election ballots 113, vote serial numbers 119,and certificates 117, characterized preferably as X.509 certificates. Inthe Figure, block 115 is typically the application database server 23shown in FIG. 1 and serves to compile the election voter table, electiondatabase and optionally, a voter demographics database, all of whichwill be described hereafter with reference to the lower half of FIG. 3.

[0071] More specifically, the lower half of FIG. 3 illustrates how thevarious pieces of information/data are assembled. At block 151 it isseen that to provide voter anonymity, while retaining non-repudiationand election integrity, ballots are re-signed by the server beforeappending to the election database. In this case, at box 151, there arereflected the choices the individual ballot items that the individualvoter casts a vote for, and are stored in an election results table 157.

[0072] Table 157 conceptually includes four columns. The first column isthe election in which the votes are cast. A separate database can becreated per election but could also be done in this manner. The table157 is indexed by the vote serial number (VSN), the issue or officebeing voted on, and the choice the individual makes. Thus, this is thetable in which the ballot choices are stored. The voter's serial numberis also stored in a table 155 which is an election verification table.The purpose of this table is to retain the digital signatures thatprotect the integrity of the ballot and the election verification tablehas at least three columns and perhaps others. The election verificationtable is indexed by the vote serial number. It includes a column fortime and a column for the digital signature. Optionally, demographicdata could also be input into the election verification table 155 aslong as this information would not, through inference or aggregation,divulge the voter's identity.

[0073] On the left side is shown the election voter table 153 which is ahashed table that in order to achieve single-vote verification, toensure that individuals cannot vote multiple times, provides that thevoter identification or ID is encrypted or hashed using a one-waytransform. One option is to employ an encryption using the individualvoter's public key, but any one-way transform would work. The contentsof the table 153, since they are generated by a one-way hashed functionare not reversible, so it is impossible to look into the table to seewho voted. However, if an individual tries to vote more than once, thehash entry will collide with any new attempt to cast a second vote, andthus, there is provided a way of detecting a subsequent voting attemptwithout divulging anything about the identity of the individual.

[0074] Turning now to FIG. 4, there is illustrated in block diagram forma large-scale production voting system architecture. Registrationclients 201 at their personal computers are shown as able to registerthrough connection through the global computer network 205, through avoting firewall 207, web servers 209 and application database servers211, which may be ultimately connected to a Registrar of Voters system221. The Registrar of Voters system 221 may provide registrationinformation to a registration server 215 which cooperates as previouslydescribed with certificate directory servers 219, and certificateauthority servers 217, and in cooperation with the other elements toallow delivery of a ballot to voting clients 203 to accomplish voting aspreviously described herein.

[0075] Having thus generally described the invention, the same willbecome better understood from the following claims in which it is setforth in a non-limiting manner.

1. A method of securely voting over a network, comprising: delivering anelectronic ballot from a server with the vote serial number on theballot, to an individual; filling in the ballot and creating a set ofballot choices that are digitally signed using the individual's secretkey; delivering the ballot choices with the individual's electronicsignature, and the vote serial number to the server; and creating a dataelement from the individual's electronic signature over the ballotchoices, the server's electronic signature over the ballot choices andthe vote serial number to record the ballot choices in a data store atthe server, and retaining the ballot choices as a vote.
 2. The method ofclaim 1 further comprising confirming the retention of the vote at theserver by signing the individual's signature of the ballot, the server'ssignature of the ballot and the vote serial number, and transmitting thesigned confirmation to the individual who submitted the ballot.
 3. Themethod of claim 1, further comprising: recording in the server's datastore the server's digital signature of the ballot to allow verificationat the server that all of the ballots cast have not been tampered with.4. The method of claim 3, further comprising: verifying for allindividuals voting that none of the ballots have been tampered with byreconstructing the ballot for each individual using the vote serialnumber, creating a digital signature over each reconstructed ballot byusing the server's public key, and verifying the digital signatureagainst the ballot signature using the server's private originallyrecorded when the individual created and submitted the ballot with theindividual's private key and verifying the digital signature against theballot signature originally recorded when the individual created andsubmitted the ballot, digitally signed with the individual's privatekey.
 5. The method of claim 2, further comprising: allowing theindividual to verify that their ballot is retained in the server's datastore accurately reflecting the way it was cast by presenting theconfirmation to the server; decomposing the confirmation into theindividual's signature of the ballot, the server's signature of theballot, the vote serial number and the server's signature which resultedin the confirmation; recomputing the server's signature on theconfirmation to ensure the confirmation has not been altered; extractingthe vote serial number out of the confirmation if it has been verifiedthat the confirmation has not been altered; and indexing a database inthe server to allow reconstruction of the individual's ballot as it wascast.
 6. The method of claim 5, further comprising: storing theindividual's private encryption key, a certificate for the individual'spublic key and a voter identification generated when the individualregisters with the system on a portable storage device; and reading theinformation on the portable storage device before allowing a ballot tobe cast.
 7. The method of claim 6, wherein said portable storage deviceis a smart card, and further comprising reading the information on thesmart card before allowing a ballot to be cast.
 8. The method of claim 6wherein said certificate is an X.509 certificate.
 9. The method of claim1, further comprising: entering demographic data onto the ballot andstoring the demographic data in relation to the ballot stored by theserver.
 10. The method of claim 1, further comprising: creating anelection voter table at the server from encrypted individual's voteridentification; and comparing each ballot to the encrypted individual'svoter identification to detect if an individual attempts to cast morethan one ballot.
 11. The method of claim 1 wherein said ballot is abit-map.
 12. The method of claim 1 wherein said ballot is an HTML or XMLdocument.
 13. A method of securely voting over a network, comprising:delivering an electronic ballot from a server with the vote serialnumber on the ballot, to an individual; filling in the ballot andcreating a set of ballot choices that are digitally signed using theindividual's secret key; delivering the ballot choices with theindividual's electronic signature, and the vote serial number to theserver; creating a data element from the individual's electronicsignature over the ballot choices, the server's electronic signatureover the ballot choices and the vote serial number to record the ballotchoices in a data store at the server, and retaining the ballot choicesas a vote; confirming the retention of the vote at the server by signingthe individual's signature of the ballot, the server's signature of theballot and the vote serial number; transmitting the signed confirmationto the individual who submitted the ballot; and allowing the individualto verify that their ballot is retained in the server's data storeaccurately reflecting the way it was cast.
 14. A method of securelyvoting over a network, comprising: delivering an electronic ballot froma server with the vote serial number on the ballot, to an individual;filling in the ballot and creating a set of ballot choices that aredigitally signed using the individual's secret key; delivering theballot choices with the individual's electronic signature, and the voteserial number to the server; creating a data element from theindividual's electronic signature over the ballot choices, the server'selectronic signature over the ballot choices and the vote serial numberto record the ballot choices in a data store at the server, andretaining the ballot choices as a vote; recording in the server's datastore the server's digital signature of the ballot to allow verificationat the server that all of the ballots cast have not been tampered with;and verifying for all individuals voting that none of the ballots havebeen tampered with.
 15. A system for conducting secure voting over anetwork, comprising: a server having a data store associated therewith,said server being configured for connection to the network forcommunicating with terminals connected to the network; said server beingfurther configured for delivering an electronic ballot having the voteserial number on the ballot, to an individual at a terminal connected tothe network, and said ballot configured for being filled in by anindividual, and for having a subset thereof corresponding to the ballotchoices delivered to the server with the individual's electronicsignature and the vote serial number thereon; and the server beingfurther configured for receiving the subset of the ballot and creating adata element from the individual's electronic signature over the ballotchoices, the server's electronic signature over the ballot choices andthe vote serial number to allow recording of the subset of the ballotwithin the data store and retained therein as a vote.
 16. The system ofclaim 15, wherein: the server is further programmed for confirmingretention of the vote at the data store thereof by signing theindividual's signature of the ballot, the server's signature of theballot and the vote serial number, and transmitting the signedconfirmation to the individual who submitted the ballot.
 17. The systemof claim 15, wherein: the server is programmed for recording in the datastore the server's digital signature of the ballot for allowingverification at the server that all of the ballots cast have not beentampered with.
 18. The system of claim 17, wherein: the server isprogrammed for verifying for all individuals voting, that none of theballots have been tampered with, by reconstructing the ballot for eachindividual using the vote serial number, creating a digital signatureover each reconstructed ballot by using the server's public key, andverifying the server's signature over the ballot choices originallyrecorded when the individual created and submitted the ballot choices.19. The system of claim 16, wherein: the server is configured forallowing an individual to verify their ballot is retained in theserver's data store in a manner accurately reflecting the way it wascast in response to the individual presenting the confirmation to theserver; for decomposing the confirmation with the individual's signatureof the ballot, the vote serial number and the server's signature whichresulted in the confirmation; recomputing the server's signature on theconfirmation to ensure the confirmation has not been altered, extractingthe vote serial number out of the confirmation if it has been verifiedthat the confirmation has not been altered; and for indexing a databasein the server to allow reconstruction of the individual's ballot as itwas cast.
 20. The system of claim 19, further comprising: a portablestorage device configured for connection and transmission of informationto the server, said information being an individual's private encryptionkey, a certificate for the individual's public key and a voteridentification number generated when the individual registered to votethrough the server; and the server being configured for receiving thevoter ID and public key certificate from the portable storage devicebefore allowing a ballot to be cast by the individual.
 21. The system ofclaim 20, wherein: said portable storage device is a smart card, andfurther comprising a smart card reader connected to the individual'sterminal.
 22. The system of claim 20, wherein: the server is configuredfor processing an X.509 certificate, and wherein said certificate on theportable storage device is an X.509 certificate.
 23. The system of claim15, wherein: the server is programmed for generating a ballot whichallows input of demographic data and for storing the demographic data inrelation to each ballot stored.
 24. The system of claim 15, wherein: theserver is programmed for creating an election voter table from a one-wayhash of individual's voter identification; and for comparing each ballotto the individual's hashed voter identification to detect if anindividual attempts to cat more than one ballot.
 25. The system of claim15, wherein said server is programmed to generate said ballot as abit-map.
 26. The system of claim 15 wherein said server is programmed togenerate said ballot as an HTML or XML document.
 27. A system forconducting secure voting over a network, comprising: a server having adata store associated therewith, said server being configured forconnection to the network for communicating with terminals connected tothe network; said server being further configured for delivering anelectronic ballot having the vote serial number on the ballot, to anindividual at a terminal connected to the network, and said ballotconfigured for being filled in by an individual, and for having a subsetthereof corresponding to the ballot choices delivered to the server withthe individual's electronic signature and the vote serial numberthereon; the server being further configured for receiving the subset ofthe ballot and creating a data element from the individual's electronicsignature over the ballot choices, the server's electronic signatureover the ballot choices and the vote serial number to allow recording ofthe subset of the ballot within the data store and retained therein as avote; and the server being further programmed for confirming retentionof the vote at the data store thereof by signing the individual'ssignature of the ballot, the server's signature of the ballot and thevote serial number, for transmitting the signed confirmation to theindividual who submitted the ballot, and for allowing an individual toverify their ballot is retained in the server's data store in a manneraccurately reflecting the way it was cast in response to the individualpresenting the confirmation to the server.
 28. A system for conductingsecure voting over a network, comprising: a server having a data storeassociated therewith, said server being configured for connection to thenetwork for communicating with terminals connected to the network; saidserver being further configured for delivering an electronic ballothaving the vote serial number on the ballot, to an individual at aterminal connected to the network, and said ballot configured for beingfilled in by an individual, and for having a subset thereofcorresponding to the ballot choices delivered to the server with theindividual's electronic signature and the vote serial number thereon;the server being further configured for receiving the subset of theballot and creating a data element from the individual's electronicsignature over the ballot choices, the server's electronic signatureover the ballot choices and the vote serial number to allow recording ofthe subset of the ballot within the data store and retained therein as avote; and the server being programmed for recording in the data storethe server's digital signature of the ballot for verifying at the serverthat all of the ballots cast have not been tampered with, byreconstructing the ballot for each individual.